{"id":"AZL-51284","summary":"CVE-2024-47702 affecting package kernel 6.6.126.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n  commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n        r2 = *(s32 *)(r1 + 76) /* load __sk_buff-\u003edata */\n        r3 = *(u32 *)(r1 + 80) /* load __sk_buff-\u003edata_end */\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto +1\n        ...\nNote that __sk_buff-\u003edata load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n        r2 = *(u64 *)(r1 +208)\n        r2 = (s32)r2\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto pc+1\n        ...\nNote that 'r2 = (s32)r2' may make the kernel __sk_buff-\u003edata address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n        void *data = (void *)(long)skb-\u003edata;\n        void *data_end = (void *)(long)skb-\u003edata_end;\n        ...\nand it will generate\n        r2 = *(u64 *)(r1 +208)\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto pc+1\n\nIf we allow sign-extension,\n        void *data = (void *)(long)(int)skb-\u003edata;\n        void *data_end = (void *)(long)skb-\u003edata_end;\n        ...\nthe generated code looks like\n        r2 = *(u64 *)(r1 +208)\n        r2 \u003c\u003c= 32\n        r2 s\u003e\u003e= 32\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto pc+1\nand this will cause verification failure since \"r2 \u003c\u003c= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n  r2 = *(s32 *)(r1 + 76) /* load __sk_buff-\u003edata */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extension, the verification will fail.\n\n  [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/","modified":"2026-04-01T05:17:42.345657Z","published":"2024-10-21T12:15:06Z","upstream":["CVE-2024-47702"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47702"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"6.6.126.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-51284.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}